Does Your CCPA Compliance Mean CPRA Compliance is Automatic?

Depending on the type of data privacy management solutions your organization used to comply with California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, the answer is likely “no.” Passed only 11 months later, the new California Privacy Rights Act (CPRA) builds on the CCPA framework, but it adds four brand new customer rights and modifies five others. That means if you built a custom compliance solution for CCPA, you’ll want to budget for reworking it before CPRA goes into effect in 2023.

The ink on CCPA was barely dry when its successor, CPRA, was taken up—a prime example of just how rapidly the evolution of data privacy is unfolding. In this particular case, it is a fairly major evolution, which underscores the problem the avalanche of new data privacy laws causes for today’s enterprise. While the core tenets of data privacy are the same, every one of them has unique differences—sometime large differences. Even the enterprise that starts compliance preparations early for one regulation will also have to deal with new and changed regulations from other states and countries.

Focusing on CPRA, let’s take a quick look at how it differs from CCPA and what it could mean for an enterprise whose data privacy management solution is still scrambling to comply with the latter.

If CCPA was stringent for data privacy, compliance for CPRA is even tougher

When California passed the CCPA in 2018, it became the toughest data privacy law in American history. We’ve discussed how CCPA and its enforcement changed over the course of 2020, not to mention some of the steep fines the state can apply for non-compliance. We’ve also summarized some of the core consumer rights protected by CCPA and other similar mandates (like GDPR). With CPRA, businesses are, once again, faced with a two-year timetable to comply with even more stringent requirements for how they can (and cannot) handle the data they collect about consumers. While general enforcement of CPRA begins on January 1, 2023, all consumer data collected from January 1, 2022—and the consumers on which it was collected—will be subject to the new regulations.

As mentioned, CPRA expands the rights of consumers with respect to control over their personal data. Some of the new rights pertain not only to personal information (PI) as defined by CCPA, but CPRA’s newly defined (and more strongly regulated) category of Sensitive Personal Information (SPI). SPI includes a consumer’s financial and identity data, as you might imagine. However, it also includes race/ethnicity data, genetic and biometric data, health and insurance information, religious and political affiliations and more—all of which are similar to the European Union and GDPR’s definition of SPI.

What’s new and what’s changed

CPRA adds the following new consumer rights:

• Right to correction – Consumers can request correction of PI/SPI data they believe is inaccurate.
• Right to know about automated decision making – Consumers can ask to know how automated decision technologies work, how they use PI and SPI, and the likely outcomes thereof.
• Right to opt-out of automated decision making – Consumers can decline use of their data to make automated inferences (such as profiling for targeted ads campaigns).
• Right to limit use of sensitive personal information – Consumers can restrict use of SPI and sharing with third parties.

In addition, CPRA expands the scope of the following rights as initially defined by CCPA, making the requirements for compliance even tougher than before:

• Right to delete – Businesses must now notify third parties to delete PI as well.
• Right to know – Expands data access request beyond the original 12 months specified by CCPA.
• Right to opt-out – Can now opt-out of sharing (not just sale of) their PI for advertising purposes.
• Rights of minors – Opt-in requirements for minors now includes sharing of PI for advertising.
• Right to data portability – Consumers can request their PI transported to another business.

More than ever, it’s not a workflow, people, or process problem. It’s a data problem.

These highlights are just the merest summary of the changes that CPRA will bring to enterprises, even those that have already implemented data privacy management solutions for CCPA. The primary changes—all of those mentioned before and more—are related to data. Data that is still scattered and fragmented across the enterprise in dozens, hundreds, or even thousands of application and databases. Which means that any organization dealing with customers in California—such as your organization—has to go back and revisit the compliance management software you put in place for CCPA (and GDPR and LGPD and on and on).

Are you ready for CPRA? Let’s find out.

• If you implemented a custom data privacy management solution, get ready for a major revamp of the code. Maintaining custom code to integrate even a handful of enterprise apps and datastores can be a nightmare to maintain, not to mention hundreds of them.
• If your solution uses a traditional data warehouse or data lake approach to accessing all your customer’s PI and SPI in one place, access will require searching and joining millions (even billions) of rows of data to find one customer’s data—and changes won’t propagate back to source systems.
• If you deployed a data privacy workflow or case management-based system, the bulk of the manual work to access the data is still on your employees—and CPRA just adds more data privacy use cases for them to handle manually.

If you aren’t ready for CPRA, you’re not ready for all the future regulations that will be passed (and later updated) in other states and countries. We expect data privacy will eventually become federal legislation in the United States, adding yet another level of complexity for compliance.

To truly manage the complexity of data privacy compliance, you first need to resolve the data problem. To start, you need a single, up-to-date, and complete view of every customer—regardless of how many siloed applications and databases that data comes from. Then your compliance management software can apply the appropriate configurations, algorithms, and orchestrations to that single source to automate compliance, no matter how many data privacy regulations apply.

Forward-thinking companies are achieving regulatory peace of mind with solutions like K2View Data Privacy Management. To learn more about CCPA and data privacy management solutions, connect with us here.